Security researcher Barnaby Jack says he's always liked the scene in Terminator II when a young John Connor slips a fake credit card into an ATM, types a few keystrokes into what seems to be an Atari laptop, and pulls out hundreds of dollars. In reality, however, Jack says the hack is actually somewhat easier: all it takes is a USB thumb drive or an Internet connection.

At the Black Hat hacker conference Wednesday, Jack demonstrated two exploits on stage that allowed him to pull off that mythical bits-into-Benjamins stunt: One of the exploits allows anyone to unlock a panel on ATMs, insert a USB key, and overwrite the machine's firmware to take control of the ATM and output cash. Another method allows him to remotely access a machine over the Internet and eject money, or even record a history of users' credit card and PIN numbers as they're entered and send them back to the hacker.

In his demo, Jack used a pair of tools he'd created, known as "Dillinger" and "Scrooge," to demonstrate both the remote attack and the in-person version of the attack, causing one machine to literally spew play money onto the stage, display the word "JACKPOT" and play a song.

"You can walk up and within two seconds you can dump money onto the floor," Jack told us in an interview before his talk. In the remote Internet-based attack, he says, "You don't have to touch the ATM at all."

Here's a video of the cash-spewing exploit in action.

Jack, head of research at cybersecurity consultancy IOActive, wouldn't name any specific ATM manufacturers during his talk, and the two models he used in his exploit onstage had their brands covered with stickers.

But in an interview with reporters after the demo, Jack revealed that the two machines on-stage were built by Triton and Tranax, though he tested others in his research. Jack argued that focusing on any specific ATM manufacturer would miss the point, given that practically every model is likely vulnerable. "Every ATM I've looked at, I've compromised," he says. "There's only so many ATMs you can fit in your apartment before your girlfriend gets mad that they don't go with the furniture."

Most ATMs run Windows XP or Windows CE, but the vulnerabilities that Jack used for his hack were instead found in the firmware used by the ATMs' manufacturers and, for the in-person version of the attack, in the physical security of the machines.

In his research, Jack attached a debugger to the motherboard of ATMs he had bought from online vendors. "Just like anything, you just click 'add to cart,'" says Jack. (He told a curious delivery man that he had ordered the ATMs to avoid withdrawal fees.)

Jack then reverse-engineered the machines' code and created his own version of the firmware that could be installed on the machines; Jack found that the Triton ATMs allowed him to "upgrade" their firmware at will via a USB drive. To get access to the machines' USB ports, he used a master key that he purchased online.

More dangerous still is Jack's remote exploit, which would allow him to access Tranax ATMs via an Internet connection and not only cause them to eject cash, but also record the credit card numbers and PINs of users for later identity theft. Though he demonstrated the remote attack with a Wifi-connected laptop on stage, Jack declined to reveal many of the technical details of that exploit.

Like most high-profile hacks at conferences like Black Hat, Jack says the exploit demonstration was intended to help secure its target in the long run, not create a "cookbook" for repeating the attack. "The goal is to raise awareness of the attack vector," he says, "not to get every kid going out and jackpotting ATMs."

Jack says he's alerted Triton and Tranax to his attack, and both have taken steps to offer a fix: a version of the Triton firmware that requires a digital signature on any supposed "upgrade," to prevent rogue overwrites like the one he created, was released in November. Jack says he's worked with Tranax to create a workaround for its machines' flaw, which boils down to disabling remote access to the company's ATMs.
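The kind of check Triton's fix adds, as an added example in Go rather than any vendor's code: the image layout, the `FWIM` magic value and the version field are assumptions constructed for this example, with a vendor-side signing step and the device-side verifier that refuses malformed, unsigned, tampered, wrongly keyed or downgraded images before anything reaches flash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Constructed image layout (an assumption for this example, not any vendor's format):
// magic(4) | version(4, big-endian) | payload_len(4) | payload | Ed25519 signature(64)
var magic = []byte("FWIM")
const hdrLen = 12

var (
	ErrBadImage     = errors.New("malformed firmware image")
	ErrBadSignature = errors.New("firmware signature missing or invalid")
	ErrRollback     = errors.New("firmware version is not newer than installed")
)

// BuildImage is the vendor-side release step: sign header+payload with the release key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+ed25519.SignatureSize)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:8], version)
	binary.BigEndian.PutUint32(body[8:12], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side gate that must run before anything is written to flash:
// reject malformed input, verify the signature with the embedded vendor public key,
// refuse downgrades. It returns the new version and payload only when every check passes.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadImage
	}
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-hdrLen-ed25519.SignatureSize {
		return 0, nil, ErrBadImage // length field disagrees with the bytes received
	}
	body, sig := img[:hdrLen+n], img[hdrLen+n:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature // unsigned, tampered, or signed with another key
	}
	ver := binary.BigEndian.Uint32(img[4:8])
	if ver <= installed {
		return 0, nil, ErrRollback // a valid signature on an old image is not enough
	}
	return ver, body[hdrLen:], nil
}
```

The signature covers the header as well as the payload, so the version field cannot be edited to slip an old image past the rollback check.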

But whether the other ATMs that Jack tested remain vulnerable isn't clear. At the time of Jack's demonstration, calls to leading ATM-makers NCR and Diebold weren't returned, though a Diebold spokeswoman responded that an ATM industry association was aware of Jack's attack and would send a statement following Jack's talk.

Jack had planned to give an earlier version of his ATM-hacking demonstration at the Black Hat conference last year, but was pressured to pull the talk because the ATM industry hadn't prepared a patch, even seven months after he had alerted them to the flaw. That slow response time may bode ill for the industry's ability to respond quickly to any future variants of Jack's attack, though he hopes his hands-on demo may change that complacency. "Sometimes you have to demo a threat to spark a solution," he says.